In today's podcast, we hear about the cryptowars down under. Major DDoS incident in Finland. Bears in the home routers, and concerns about IoT and power grid security prompt a US Senator to demand answers. Smart cities present big attack surfaces. Preliminary notes on patches. ZTE and Huawei devices formally disinvited from US Government networks. Cyber retaliation expected from Russia and Iran over sanctions. And locking people in a room to teach them good cyber hygiene. Justin Harvey from Accenture on threat hunting. Guest is Bob Stevens from Lookout discussing app-based malware on mobile devices.
Dave Bittner: [00:00:03] Crypto Wars down under. A major DDoS incident's been found in Finland. Bears in the home routers and concerns about IoT and power grid security prompt a U.S. senator to demand answers. Smart cities present big attack surfaces. Preliminary notes on patches. ZTE and Huawei devices have formerly been disinvited from U.S. government networks. And, locking people in a room to teach them good cyber hygiene.
Dave Bittner: [00:00:37] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 14, 2018. There's a fresh offensive in the Crypto Wars, and this one comes out of Australia. The government has announced its proposed regulations that would address encrypted communications used for criminal or espionage purposes. Mindful, no doubt, of the shirty reaction the other side in the Crypto Wars will have to any proposal that involves mandatory backdooring of systems or other measures that would weaken end-to-end encryption, the government explicitly rules out any intention of backdooring systems. Instead, in cases of criminal investigations, national security matters or significant threats to the financial system, the government would be able to require companies to render various forms of assistance.
Dave Bittner: [00:02:38] Where a company held a key, for example, it might be called upon to let investigators use it to inspect communications. Or, a company might be required to assist with development of a tool to gain access to otherwise inaccessible traffic. This hasn't mollified opponents of the measure, who don't see how the regulations could accomplish their purpose without unacceptable compromises of end-to-end encryption. Critics tend to see the proposed regulations as either a backdoor to back doors or as a species of magical thinking in which encryption would be defeated without defeating encryption. But the government is determined to obtain the capability to read traffic associated with significant criminal terrorist and nation-state threats.
Dave Bittner: [00:03:25] On Sunday, Finland sustained a major distributed denial-of-service attack. The country's Information and Communications Technology Center Valtori called it, the biggest attack we've had in the past few months, implying a relatively high rate of attack. Several citizen-facing websites were unavailable, including the National Online Identity Verification Service, Suomi.fi. The Defense Ministry was unaffected. There's no attribution yet, but earlier DDoS attacks have been ascribed to unnamed foreign actors.
Dave Bittner: [00:04:01] Concerns about state-sponsored attacks on industrial and consumer internet of things devices remain high. In the U.S., these concerns continue to center on Russian activity. There have been recent warnings about GRU compromise of home routers, known about for some time but only imperfectly redressed, such devices being notoriously easy to ignore when patching. Other concerns focus on the power grid, where GRU probes of utility business networks have been widespread.
Dave Bittner: [00:04:31] It's worth noting, as industrial cybersecurity firm Dragos did in its blog last week, that GRU presence in business networks isn't the same as staging disruptive malware in the industrial control systems used by electric utilities. It's a serious matter, especially given the role compromised business systems played in Russia's takedown of portions of Ukraine's grid. But it's not as if Moscow has installed a kill switch for Con Ed on President Putin's nightstand right next to his copy of "The Art of the Deal." So - worth taking seriously, but also soberly and without panic.
Dave Bittner: [00:05:09] Congress continues to push the U.S. administration about power security. The most recent legislative paladin to ride to the grid's defense is Senator Markey, a Democrat from Massachusetts who's widely circulating his letters of concern. He's asked individual utilities if they were victims of Russian probes the Department of Homeland Security warned about, what measures they're taking to cover themselves from third-party risks and if they've complied with recommendations from the North American Electric Reliability Corporation. And, on that last, if not, why not?
Dave Bittner: [00:05:43] He's also asked for detailed descriptions of their security measures, a detailed account of any successful or attempted physical or cyberattacks, the utilities' opinion of FERC critical infrastructure standards, and an account of any other vulnerabilities they've turned up and what they intend to do about them. NERC, federal agencies and power marketing associations have received similar letters. Any responses he receives will be interesting, and some of them will be surprising.
Dave Bittner: [00:06:14] Smart city technology presents an especially attractive attack surface. There's a growing concern about the sensors that technology deploys. IBM security and data security firm Threatcare studied sensor hubs in particular, focusing on those delivered by three of the leaders in that sector - Libelium, Echelon and Battelle. The hubs integrate inputs from a variety of sensors in order to provide a kind of swift situational awareness of conditions on the ground, including traffic, weather, pollution levels and so on. The researchers found and disclosed 17 bugs in the hubs that they thought posed a significant risk. The vendors have patched them, but two points are worth bearing in mind. First, many of the issues were familiar IoT problems like easily guessed default passwords. Second, sensors, like so many IoT devices, are notoriously easy to overlook when applying patches or upgrades.
Dave Bittner: [00:07:13] Studies show that we are spending more of our online time on mobile devices, relying on apps to help us keep in touch and manage our day-to-day tasks. That, of course, makes mobile devices an attractive target. Bob Stevens is vice president of public sector at Lookout, a company that provides products to help protect mobile devices.
Bob Stevens: [00:07:34] As you know, I mean, applications have caught on quite successfully. I mean, it is an app-based world now. You know, unfortunately, the bad guys have figured that out as well. So they're starting to or have been targeting applications, particularly on mobile devices, to try and steal data or credentials or, you know, to be able to turn your microphone on and listen in on meetings or to take your photos or turn your camera on and figure out where you are and your surroundings. So, you know, things of that nature.
Dave Bittner: [00:08:02] Where are you usually seeing these pop up? I mean, I think we hear the stereotype of the flashlight app that does a lot more than what it's advertised doing. But are you seeing particular trends here?
Bob Stevens: [00:08:15] Oh, we are, yes. You know, one trend is, you know, is phishing. And I don't know that you could say that that's a new trend. I mean, phishing has been popular on desktops for a long time. You know, the big difference is that, you know, on a desktop, we - the phishing came via email. But in mobile world, it can come from a lot of different places. It can come from a text. It can come via an application like Facebook or a communications application like WhatsApp or Signal or Telegram. It can come via the email. It can come, you know, via the web. So there's a lot of different ways for, you know, somebody to phish you on a mobile device.
Dave Bittner: [00:08:55] And are you seeing that, you know, that one platform versus the other does a better job of keeping these types of apps out of their app store?
Bob Stevens: [00:09:03] You know, they both try. But, you know, the bad guys are pretty creative, you know. And I'd hesitate to say that one does better than the other. You know, I think that they're - they both put together equal amounts of effort to ensure they're providing, you know, safe applications for their users. But the bad guys - like I said, the guys still get it. And, you know, the bad guys don't necessarily use the app stores either.
Bob Stevens: [00:09:26] As an example, there is one threat that we recently announced called Stealth Mango. And, you know, it started with a phishing attempt, but then they would send you to a - not one of the popular app stores but a different app store to download an upgrade of an application. And, of course, once you got that application, you had malware on your device. You know, it didn't come from, you know, the popular ones. But it's still out there, and they're able to get it on your device.
Dave Bittner: [00:09:54] So what are your recommendations for folks to better protect themselves?
Bob Stevens: [00:09:57] Well, you know, it's a defense in depth, as with anything. You know, an enterprise should be deploying some sort of mobile device management - or they now call it EMM, Enterprise Mobility Management - to ensure that the policies that your organization want to have enforced are enforced. So what I mean by that is, you know, Lookout's on a device and we detect that, you know, you've just downloaded a version of Facebook that that is malicious, that MDM can now take over and quarantine you from the network so that you can't do any more damage or the bad guy can't do any more damage or - and have you perform some sort of remediation on your device to remove the application.
Bob Stevens: [00:10:38] So I think that's required - you know, an application like Lookout that's looking for malware, looking for risky behavior, looking for network-based threats, looking for phishing attempts so that they can be blocked before any harm can be done and safe browsing to ensure that you're going to, you know, safe websites. You know, deploying some sort of encryption is always good. You want to make sure that the data that's on your devices encrypted so that even if they are able to access something, you know, it's worthless to them.
Bob Stevens: [00:11:07] So I think those are probably the three things that you want to look at. Mobile devices are used for just about everything now. You know, your banking apps, all your travel, your calendars, your email - there's a lot of data there. It's basically your life. So you need to protect it as if it's one of the most important things that's in your life.
Dave Bittner: [00:11:24] That's Bob Stevens from Lookout.
Dave Bittner: [00:11:28] It's Patch Tuesday, with Microsoft and others expected to rollout fixes over the course of the day. Some noteworthy patches have already been released over the last few days - a patch for NetComm 4G LTE Light Industrial M2M routers is out, addressing a critical vulnerability. Users are advised to patch quickly. Oracle has addressed a vulnerability that could compromise an Oracle database and grant shell access to underlying servers. President Trump has signed legislation barring ZTE and Huawei devices from federal enterprises. Other sanctions, particularly against Russia and Iran, are widely expected to prompt cyber retaliation.
Dave Bittner: [00:12:12] Finally, here's a cyber hygiene training approach from the National Geospatial Agency. Lock employees in a room until they get it. That sounds more sinister than, in fact, it is. And the reality sounds way more fun than the sort of Alcatraz solitary the headlines suggest. The NGA will be running training events in its Virginia and Missouri campuses. They have hired training company Living Security to design escape rooms that one can get out of by solving various cybersecurity puzzles that focus on the NGA's tenets and risks and that will use training moments and challenge questions customized to NGA's information technology and security policies and messaging to provide consistency with the cybersecurity program. So let us know how that works out you NGA types.
Dave Bittner: [00:13:07] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:14:08] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. We wanted to touch on threat hunting today. Why don't we start off - what is threat hunting, and what is it not?
Justin Harvey: [00:14:21] So threat hunting is looking for adversaries that are already present within your network or your endpoints. Enterprises today are spending money on things like antivirus and firewalls and intrusion detection and prevention systems for their network. But what do you do if any of that fails? It really only takes a couple systems for an adversary to move around or to subvert and then they're in and persistent within your environment.
Justin Harvey: [00:14:51] And so what threat hunting is is the constant and continuous searching for basically two things, Dave. No. 1, it's looking for the anomalous. So it's looking for things that don't smell quite right, but it could be a new patch that has changed that registry key or a new program has shown up because someone installed it. Or looking at things like the suspicious, things like perhaps this registry key was added with this new probable potentially unwanted program, or the suspicious being someone logging in directly into a Linux system using a root login instead of logging in as the user and then becoming super user. So threat hunting is really looking for the things that are misplaced or shouldn't be there.
Dave Bittner: [00:15:42] So is this an expensive thing to spin up within an organization? When do you know when it's time to activate this process?
Justin Harvey: [00:15:50] Well, I think all enterprises of sufficient size - meaning really in the SMB market, I think threat hunting is going to be too spendy to do it yourself. I think that most managed service providers or managed detection and response providers should be supplying that for the SMB market. But for the larger enterprises that are managing their own infrastructure, it should absolutely be a part of their cyberdefense program. The barrier to entry to threat hunting is that there's simply not enough people in the industry today in order to not only run the threat hunt program but develop the threat hunt program.
Justin Harvey: [00:16:33] Many of my clients are struggling with saying, OK, I know we need to do threat hunting. And I kind of have some people to do it, but what do I do? There have been some vendors out there that are automating their EDR systems in order to codify things like the MITRE ATT&CK Matrix and putting that in their agent or in their software so that human beings don't have to remember every little nitpicky thing that the ATT&CK MATRIX for MITRE presupposes. And so with that automation, it still gives our threat hunters a leg up in order to find the anomalous and the suspicious.
Dave Bittner: [00:17:11] So what's your advice? What's the best way for someone to get started?
Justin Harvey: [00:17:14] The best advice here is to bring in a trusted third party, hopefully one that has a threat hunt methodology in order to give to the threat hunters. In my experience, or at least in the old days - the old days being several years ago - threat hunting was just merely hiring a bunch of smart infosec people and throwing them against a problem, saying, go find evil. Go find the anomalous and the suspicious. And that hasn't been working at scale.
Justin Harvey: [00:17:43] So I think No. 1 is to settle on a threat hunting methodology. Ours, the one that we've developed amongst my team, is what we call intel-driven hypothesis-based threat hunting methodology. But there's a lot of other types of methodologies out there that are just as good. The second step, Dave, would be focusing on a technology set that will support codifying things like the MITRE ATT&CK Matrix into an EDR product.
Justin Harvey: [00:18:14] So not only do you have to have the people, the methodology, but you also have to have the tools and the visibility amongst the endpoints and the networks in order to surface that telemetry and then to analyze it. So some of our customers utilize EDR products that send all their data back to a centralized source. Perhaps it's Splunk. Perhaps it's their SIM. Perhaps it's the EDR console. And then they hunt within that environment in order to find those adversaries latent within the network and the endpoints.
Dave Bittner: [00:18:47] Justin Harvey, thanks for joining us.
Dave Bittner: [00:18:54] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:19:02] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:27] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.
VMware is a global leader in cloud infrastructure and business mobility. Built on VMware's industry-leading virtualization technology, our solutions deliver a new model of IT that is fluid, instant and more secure. Learn more.